Don’t get hacked! I open dubious PC files in a sandbox. You should too

Every file and every program leaves traces in your system: It accesses other files, uses Windows resources, makes entries in the registry, and possibly installs additional software.

In the best-case scenario, you will only clutter up your Windows if the software’s uninstall routine does not delete all associated files and registry entries. In the worst-case scenario, malware will infect your system or ransomware will encrypt your files.

If you want to try out new programs or open unknown files, it is best to do this in a particularly secure environment that is separate from the running system: This is exactly what a sandbox offers.

If you open a program in a sandbox, it works as expected, but cannot make any permanent changes to the system or access resources outside its environment — the sandbox prevents this, redirects access, and deletes all activities of the program and itself when you close it.

With a sandbox, you can therefore try out new software or install programs from dubious sources with less risk, surf potentially unsafe websites, and keep your system clean.

We will show you various ways of setting up and using a suitable sandbox for programs and files under Windows: These range from Windows on-board resources and virtual systems to browsers and programs with their own sandbox function.

We describe the Sandboxie-Plus software in particular detail — the simplest and most practical sandbox solution for most users.

Further reading: Is a hacker logged into your Google account? Here’s how to tell

Sandbox for the browser

You probably already use a sandbox: Current browsers such as Chrome and Firefox use this protection technology.

They rely on Windows security mechanisms: This has the advantage that they can guarantee a high level of protection without having to use a lot of resources, which could result in websites opening slowly, for example.

Each browser tab is opened in its own sandbox. This prevents Chrome and others from automatically downloading programs on a website or running malicious scripts.

This process also protects against attacks that are executed via a website without an antivirus program raising the alarm (zero-day exploits).

Each tab of the browser runs as an isolated process and has no access to other tabs or the system. It also starts with very limited rights — which is why you usually have to authorize a website’s access to the computer camera, for example.

In addition, the separation of the individual tabs should mean that the crash of a website does not paralyze the entire browser, but only the corresponding tab.

How and whether the browser sandbox works can be observed in the Windows Task Manager: Under “Processes” you can see that numerous other processes are running under the “Google Chrome” entry — these are the separate sandboxes of the individual tabs.

Further reading: How to turn a USB flash drive into a secure login key for your PC

You can find out more details by entering the command

chrome://sandbox/

in the browser address bar: The tabs here are called “Renderer” — this is the function that displays web pages. Each should also appear in the “Sandbox” column and in the next column with the note “Lockdown.”

Like the “Untrusted” entry to the right, this means that this process has very few access rights to the system.

Nevertheless, you should always update your browser, as hackers often try to exploit the sandbox via other security vulnerabilities in order to give scripts and programs on a website more access rights.

Programs with a built-in sandbox

Windows also uses a sandbox for certain programs: Apps from the Microsoft Store — the so-called UWP apps (Universal Windows Platform) — run in an isolated process with reduced rights.

This means they can be uninstalled without leaving any residue. In many cases, you must also authorize them to access files or hardware such as the camera or microphone.

However, only a few users use UWP apps. The more frequently installed standard programs — the so-called desktop apps — run without a sandbox and rights restrictions.

You also give many UWP apps certain rights during installation. You can check what these are before installation on the app page in the Microsoft Store under the entry “This app can” and after installation in the Windows settings under “Privacy > App permissions.”

You can revoke these rights there — although this often means that the app no longer functions correctly.

From version 24H2, Windows 11 also supports a sandbox function for normal programs — Win32 App Isolation. However, manufacturers must incorporate this into their software for the protection to work.

Acrobat Reader offers a secure sandbox function for PDF documents: If you receive a PDF as an attachment from an email or an insecure source, you can prevent code contained in the document from being executed or you from being taken to a nefarious website when you click on a link in the PDF.

To use the PDF sandbox, go to “Settings > Security (advanced)” in the Reader menu and activate the “Enable protected mode on startup” option.

Additional protection is provided by the “Protected view” below, where you can choose whether it should apply to all PDFs or only to those from insecure sources. The Reader then opens the PDF in read-only mode, which means it cannot be filled in and usually cannot be saved or printed.

Free special tool Sandboxie-Plus

The small open source tool Sandboxie-Plus is ideal for running all suspicious files and programs in isolation. You install it as usual under Windows and can then start the desired content directly in a sandbox container.

The complete range of functions of Sandboxie-Plus costs $40 per year: You can pay the programmer directly via Paypal or you can buy a supporter certificate on the website.

For use on a home computer, however, the free basic functions, which we present below, are sufficient.

Sandboxie-Plus is available in versions for standard Windows and for Arm Windows.

The tool can also be installed as a mobile app on a USB stick. After installation, you will be greeted by a setup wizard where you first select the option “Personal, for non-commercial use” for the free functions.

In the next window, you can obtain a so-called evaluation certificate by clicking on the red, underlined text: This allows you to test the software with all functions for 10 days.

Otherwise, click on “Next.” For the user interface, you can choose between an expert and a beginner mode as well as a light or dark mode for the display.

It is best to accept the default settings and click “Next” again. Finish setting up the software in the last window by clicking on “Finish.”

In the following window for the “Global settings,” you do not need to adjust anything and click on “OK.”

Running risky programs in Sandboxie-Plus

Sandboxie-Plus starts with a two-part interface: At the top you will see the entry for a “DefaultBox.” You can start suspicious programs in this box. In the lower window, the tool logs all actions and settings.

The user interface can also be called up by right-clicking on the tool icon in the system tray and selecting “Show / Hide.”

To start software safely in a sandbox, click on “Sandbox > Run in sandbox.” Confirm the settings in the next window with “OK.”

Another window then appears: Enter the name of the software that you want to start in Sandboxie-Plus and confirm with “OK.” If you do not know the exact name or the tool cannot find a program that matches your input, you can call up the software directly with the Explorer via “Search.”

This start procedure is recommended for programs that you have installed but want to start again in the secure environment — for example, your web browser: If you call it up again in the sandbox, you can use it to visit suspicious websites without risk.

The program then starts: The corresponding EXE file appears in the top window of Sandboxie-Plus.

You can recognize that software is running in the sandbox by two features: Its name in the program window begins and ends with a diamond symbol — for example, if you open the Chrome browser in the sandbox and drag the mouse to its icon in the taskbar, it will say [#] New Tab – Google Chrome [#].

If you move the mouse to the top edge of the program window, a yellow frame appears. There is also a window finder in Sandboxie-Plus under “Sandbox — Is the window in a sandbox?”

There, click on the circle in the small program window on the left, hold down the left mouse button and release it in the window of the program whose status you want to check: The answer to the question will then appear in the window finder.

Sandboxie-Plus is also entered in the context menu of Windows Explorer: You can then call up the desired program with a right-click and the command “Start Sandboxed.”

For example, software that you have just downloaded can be installed in the sandbox by starting the corresponding EXE or installation file with Sandboxie-Plus.

It is advisable to run each program and each file in its own sandbox: When starting via Sandboxie-Plus or the context menu, select the entry “Run in a new sandbox” in the next window and then “Standard sandbox.”

You can also give each sandbox a meaningful name here.

Important programs can be started particularly quickly in Sandboxie-Plus, for example your browser, your email program, or Windows Explorer: Click on an existing sandbox in the top right-hand corner of the tool window.

Then select “Start > Standard programs” and then the desired software.

Open and check suspicious files

Like programs, individual files can also be opened in an isolated sandbox. Sandboxie-Plus starts the default program for this file — for example Word for a DOCX file.

If the program crashes, change a setting in Sandboxie-Plus: Open the file in a new sandbox as described. In the window in which you select “Standard Sandbox” as the box type, tick the “Configure advanced options” option at t